Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them

from the do-these-people-even-listen-to-themselves? dept

Last week, we had talked about some concerns about how various cybersecurity provisions would allow those hit by malicious hackers to "hack back" or, as some call it, engage in an "active defense." There were significant concerns about this, but as Marvin Ammori briefly mentioned in last week's favorites post, Rep. Louis Gohmert seems to not only think hacking back is a good idea, but that it should be explicitly allowed under the CFAA (Computer Fraud and Abuse Act). You can see his explicit statements to this effect below during last week's House Judiciary Committee hearing on the CFAA. It appears he heard a story about someone installing some malware on a hacker's computer to get a photograph of them, and has decided "that's a good thing, that helps you get at the bad guys," without ever thinking of the very, very long list of dangerous consequences of allowing such things:

Here's the basic transcript. The really crazy part is where Gohmert says he doesn't care as long as the hack back is "destroying that hacker's computer."

Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?

Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network you're not supposed to take control of, then yes, that would clearly be prohibited by the statute.

Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?

Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.

Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?

Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but they're routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...

Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?

Orin Kerr: No.

Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.

Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.

First off, kudos to Orin Kerr for keeping a (mostly) straight face through that exchange. There are many amazing things about this particular exchange, but the fact that Rep. Gohmert is one of the people in charge of how the CFAA gets reformed, and doesn't understand these very basic concepts, is immensely troubling. Among the headsmackers in that exchange: the idea that hackers are bad -- and not just partially bad, but apparently obviously and totally bad, like out of a movie. Also: that they're somehow easy to identify and that a freebie on hackbacks wouldn't be abused in amazing ways. Further, even though Kerr pretty clearly points out that you can't automatically track back and (without saying so directly, but clearly implying) that hackers likely would shield their identity or fake someone else's identity, Gohmert still doesn't get it and somehow thinks that Kerr is saying we don't want to allow hackbacks on US government snooping (which, again, Gohmert seems to have no problem with). Yikes. Please do not let people like this near laws that have anything to do with computers. To me, this level of misunderstanding is worse than the whole "series of tubes" garbage from a few years back by Senator Stevens.

I'm sorry, but it seems that if you can't understand that there isn't some magic list that says "these hackers are bad, and therefore we should destroy their computers," I don't think you should have any role in making laws around this topic.

Gohmert the unbearable

Let's see...

This is the same guy that wants to lock up journalists, shut down the government, stop the government from spending money on its citizens, keep taxes lowered on the richest people, believes in gerrymandered districts over democratic rights of the people, denies climate change based on his bribes from the oil industry, and his overall morality is atrocious when it's based on being a self-centered power hungry mad man who treats the public like serfs and peasants instead of people with valid concerns.

Have I missed anything or does anyone else see the problem with these people in office supporting the worst representation of American culture?

Mike you owe me a new desk. I face-desked and I couldn't stop myself from doing so repeatedly after reading that exchange (including the bit where questioning this bill automatically means you're somehow protective of the hacker...)

Unlike other bills that simply tack on the word cyber and say there's a difference because it's on a computer...just because...in this case there actually IS a difference. Since he's using the analogy of self defence, if I'm being attacked physically, I can see who's attacking me. I can fight back against those who are clearly identifiable as my attackers. Not so with a hacker. They're going to route through and use proxies, so just like with Six Strikes, this means allowing harm to innocents because the lawmakers and policy pushers are complete and total morons.

If this passes then I wouldn't put it past the likes of Prenda Law etc. to seek the destruction of the computers from the people that pay up or take the people to court that they accuse for copyright infringement. The likes of Prenda Law will say something along the lines that those who committed copyright infringement with downloading from BitTorrent hacked into the computer that was in the office to get the file that they downloaded.

Re:

Better example.

1) User A is a troll who posts the password to their forum account online.
2) User B uses the password to log in as User A and make a few joke posts for fun.
3) User A then tricks User B into clicking on some bad links to install malware on their computer, which lets User A take control of User B's computer.
4) User A steals User B's bank account information and steals all their money, and then floods User B's hard drive with a bunch of junk files saying "You suck User B".
5) User B finds out that they've been hacked and robbed, and goes to the police and FBI.
6) In court User A points out that User B 'hacked' into their forum user account first, so all their retaliation hacking against User B is perfectly legal thanks to Rep Gohmert.
7) Case is dismissed against User A. User B is charged with hacking under the CFAA, and is still out over $100,000 stolen by User A.
8) User A goes on to get himself 'hacked' by more 'victims' for a living, and the federal government continues to lock up those 'victims' for 5 or more years.
9) User A gives very big campaign donations to Rep Gohmert, so everyone wins! Everyone except User B's!

Re: Re: Gohmert the unbearable

Orin most certainly did not throw cold water on the concept and dismiss it out of hand. What Orin did do is note that the "devil is in the details" if one is to avoid an overinclusive bill. Perhaps one should read Orin Kerr's published articles in law and other journals before jumping the gun...

as usual, a fucking idiot is trying to deal with a technology that he has no clue about, doesn't understand and yet he thinks, just like the entertainment industries, that an IP address is definitive proof of a person, an identity. courts have taken a long time to realise it but now do so more usually than not that an IP address is nothing more than identifying the name on the bills for that internet account. it does not identify the user of that account every second of every day! how do these morons ever get through school, let alone get elected into positions of such power that they can make or break something, everything for everyone for a long time to come, if not forever!!

Re: Re:

two problems: 1) the way Rep. Gohmert is saying it, you being hacked would entitle you to hack the other computer, it isn't limited as to when. So, if you were attacked by a computer using the IP address 127.0.0.1, then you could attack the computer at IP Address 127.0.0.1. Unfortunately, you attacked a month later, and it was a different computer you destroyed. So, what's the legal position?
2) how do you identify a counterhack? If a victim of hacking can counterhack, how do you determine they actually were hacked in the first place? It could become a defense that makes the law utterly toothless.

For the inexperienced, this might seem like a good idea. After all, the argument with guns is often made that the best way to prevent random shootings is to arm everyone. People are much less likely to simply shoot randomly if they know they'll be the second one shot at. However, in the case of hacking, we're discussing something altogether different. Each computer/device/router on the internet, while (most are) privately owned, actually constitute a whole that is publicly used. If you allow hacking legally, you need a very effective law enforcement agency to prevent abuse of the legality of hacking (i.e. to enforce the law with regards to legal/illegal hacking). There is no such law enforcement right now that I can see.

Yeah, right... and five minutes after the law is passed, we'll be living on a planet with no working computers, because there are already a lot of paranoid people who think EVERYTHING is trying to hack their PCs etc.... not that they're very far from truth, actually, but...

The stupid...it hurts... Let's also make a law that says it's OK to kill someone that you think, maybe, might be, but you're not quite sure, trying to kill you.

I think we should pass a law that states "In order to pass legislation on a particular subject, you must first pass a college level test on that subject". Hell, even a high schooler with basic IT knowledge would know that's idiotic.

Re:

And can be none. It's too easy to conceal your identity on the internet--which is Kerr's whole point, although he describes it rather poorly in the clip. How can you police a massive group of essentially anonymous PC's many, if not most of which reside in other jurisdictions and countries?

Well...

I'm not in favor of this sort of thing, but I think there should be some special loopholes in a very few cases. Example: Microsoft/Norton/Whoever gains control of a spambot C&C server. Using this they could "infect" the individual bot machines with a removal tool. Or send a signal to shut down the bot software. Currently they won't do this because of the CFAA, all they can do is take down the server. Which leaves the botnet up and running, just missing a head - which can be relatively easily replaced.

So if you hacked back, would the original hacker have the right to hack you back? And then you can hack back again? And the hacker can hack back again?

If you hack back the wrong person, does that person have the right to hack back against you?

Oh, and this could create jobs, couldn't it? I mean, now every public library and coffee house with public wi-fi will need to hire a new security expert just to protect the network from all the hackbacks triggered by hackers using them to launch the initial attack.

Maybe this will help

There seems to be an invested interest in not understanding the relation of IP addresses to individuals, so let me use this analogy. An IP address is NOT like your home address that you have lived in for years, it IS LIKE a hotel room number that you only stayed in a few days (or perhaps a few hours).

Attacking people or charging them with crimes based on an IP address, is like charging the current resident of a hotel room with a crime that was committed there last month.

Re: Re: Re:

I just wanted to clarify something here as I was slightly confuzzled by some misinformation here even though the point is valid.

- 127.0.0.1 references the loopback interface (actually anything in the 127.0.0.x range does) which won't allow you to access another computer according to IE specs. Just to clarify. Thus, you're either hacking yourself or incorrectly identifying the source of the original attack. This is one such problem with the whole thing...identification of the ACTUAL source.

- Assuming you correctly identified the source, IP addresses change as you noted. So while you can identify the specific attacking computer at a given point in time (assuming you can correctly do so), you still have a risk that the address of the computer that actually performed the act changes before you can respond. Now, granted, if you respond in a very short period of time, the likelihood of the IP address changing is slim, but legally, you have to consider the ramifications of a possible change in address between action and reaction.

Hacking vs land mines

Actually, I think it should be, and can be argued to be, legal for you to install any software you wish on your own computer. Including malicious software that lies in wait and can only be activated when your machine is hacked into. That isn't hacking. That's using my personal property as I see fit, in a way that does no harm to anybody unless they are violating my personal property.

The second issue, making hacking back legal, is absolutely insane. Ignoring the script kiddies, any hacking is probably coming from another compromised machine, not one owned by the hacker. So the hack-back will not affect the hacker, but will cause further harm to a different victim.

Re:

How you explain this to idiots like this one:

Me: Here's an example. Suppose you have a computer.
G: OK.
M: And someone takes it over without your knowledge.
G: OK.
M: They then use it to attack my computer. To me, it looks like the attack is coming from your computer (because it is.)
G: OK.
M: Are you suggesting that I should have the legal right to destroy your computer because it's attacking me?
G: Well, no.
M: OK, then. Shut up and let the adults discuss this.

One thing I think this clip clearly shows is that the very people that we need to have advising on legislation like this do a very poor job translating all the technical details into terms the legislators--some of whom seem to have less of a grasp of technology than your average grade schooler--need to understand. Once you start throwing terms like "routing communications" and "IP address" out there, you've lost them. Kerr was confusing Rep. Gohmert rather than informing him.

This is something the lobbyists and "experts" for some other industries do very well. Their positions and statements may be utter crap--but at least it's understandable crap--and this is why we get crappy laws.

Re: Hacking vs land mines

First is you can install anything you like and if that happens to be a nastygram piece of malicious code that destroys a hacker's computer after they've stolen it, so be it.. Should be legal..

The second, which as I read it does not follow the story anyway is a back-hack after the event against the IP who attacked you.. While that may sound like fun it's entirely too dangerous as who can say 100% you get the right IP to attack...

The whole thing reminds me of Ghost in the Shell where everyone's Cyborized with external computing and memory.. When someone gets hacked there they get blocked by active firewalls called Phages which backtrace the connection immediately and fry the brain of the attacker.. Perhaps this Senator's been watching too much Manga?

Re:

It is FAR worse than that.

Move this out of the 'computer hacking' arena and it is totally nuts. He refers to self-defense, but self-defense laws are very narrowly defined and require imminent harm. Until there is a hack that is going to kill people through their keyboards, we are not talking about self-defense.

This is defense of property. As far as I am aware, there are no states that allow me to go throw a rock through my neighbor's window if they threw one through mine. That would be insane. You call the police and they investigate or you bring a civil action.

Anyone that suggests that 'hacking back' is a solution needs to hand in their citizenship card and move to the stone ages or some country that we just bombed (possibly back into the stone ages).

How is this worse than "Series of Tubes" Stevens?

To me, this level of misunderstanding is worse than the whole "series of tubes" garbage from a few years back by Senator Stevens.

I'm not disagreeing, but I'm curious how this is worse than Ted Stevens?

I think Stevens displayed an even thinner grasp of understanding of the internet than Gohmert is doing, currently. I think Gohmert seems to understand how computers work, but is just showing a limited amount of thought into the issue (or a limited ability to reason out his own argument).

Stevens' display of understanding was terrible, and I don't see how this is worse (bad as it is). So my question is whether I'm missing something, myself.

Re:

You might be able to argue against Sony for that DRM rootkit debacle. Heck, under this version of the law, you might even be able to make a case for legally attacking the US government if you're infected with Stuxnet.

Re: Well...

Botnet C&C machines are a tempting target for this type of activity, but on the whole I think it's a mistake to declare attacking them legal. There are far too many ways for this to go horribly, horribly wrong.

Re:

Unfortunately, collaboration between the two main parties prevents this from happening. They use "us versus them" team spirit psychology to keep the public too busy slinging mud at each other to notice that both candidates are actually nearly identical.

Every election is a choice between voting for an idiot or a moron. Heads they win, tails we lose. It's a vicious cycle, and as long as big businesses can keep funding both parties to guarantee favorable legislation, it'll probably keep going for a long time.

Re: Hacking vs land mines

Actually, I think it should be, and can be argued to be, legal for you to install any software you wish on your own computer.

Apple would disagree with you on this, and Micro$oft is moving in the same direction. The MAFIAA would love to be able to control everyone's computers, so that they can kill all forms of piracy.
Long Live Linux and the BSDs.

Re: Re: Re:

Don't forget, a hacker could first hack into another computer before hacking into your computer from it. You would have a hard time knowing this, and you'd most likely end up counter-hacking a poor guy who just had his computer hacked as well.

Oh and if that poor guy caught in the middle found out you're hacking him, he could hack you back... Because to him you'd look like an original hacker, he would not know you're trying to counter-hack.

And wait until hackers plant false evidence that you were a hacker yourself, so they can claim they were counter-hacking you.

Seriously, legalizing counter-hacking is just loads of bullshit. If you're being hacked, just block the IP address hacking you and contact the authorities.

Somebody has to suggest it...

This may sound like a conspiracy theory, but it has happened before.
Might this be the copyright industry trying to use the guise of hacking to get a law introduced that will later be expanded to include them? Legal to hack "back" infringers?
The reason I suggest this is due to the fact that they have introduced other measures with buzzwords, just because it would go easier with the public, judges and politicians. An example of this is the Danish Anti Piracy Group who made the child porn filter because "Childporn is a thing they understand". And they then, as planned, got it expanded to include other sites.
It might sound insane for some, but really when you think about it: Hacking and Cyber are the new buzzwords and judging by other stuff that group has done or suggested over the years, would you really be surprised?
Links about what was said by the Danish APG boss about the filter:
https://www.techdirt.com/articles/20100427/1437179198.shtml
https://christianengstrom.wordpress.com/2010/04/27/ifpis-child-porn-strategy/

Some good comments here

HOW easy is it to TRACK a bot/advert that has been installed on your computer.

You goto a site that has ADVERTS and 1 installs its cookie on your system, that TRACKS you, all over the net..
It opens a backdoor for OTHER ADVERTS for what it THINKS you are looking for..

This idea(from the article) will take a TON of discussion and cleanup, of WHAT/WHO is a hack..

I mean, if the GOV. REALLY wanted to track this crap down, they would hook up with a few companies like spybot/AVAST/Malwarebyte and ADD tracking to the data.
THINK about it..You get a BOT from a site and its LOGGED where you got it..NOT ANONYMOUS..

A few years back I had a CLEAN MACHINE..and had to install updates and protection. It was dialup, so connected and the FIRST SITE it went to was MSN.. 7 virus and 37 bots from the FRONT PAGE. It took 15 minutes to gain control of the computer...and 6 more hours to clean up..
I sent a letter to MSN..1 year later they QUIT adverts from 3rd parties.

Then comes the thought, of WHO do you hold responsible?
THE SITE? They didn't SCAN and clean it..

You have to understand WHY adverts are all OVER the place..
SOMEONE IS GETTING PAID. and there has to be INFO in the bot, of WHO DID IT..so they can get paid.
The Company wanted Adverts, they shipped it to an ADVERT company, they shipped it to person to DO THE WORK..

NOW:
COMMENTS:
STUXNET..look it up.
Do you think the Other countries have rights to BOMB the USA with virus after we did it to THEM?? Do you REALLY think this is the first time?

COMPUTER security is FAIRLY SIMPLE..
1. MAJOR systems DONT HAVE ACCESS TO THE NET..
2. ANY outside data to be installed is SCANNED(HEAVILY) before being inserted..from DECODERS to AV/BOT scanners..
3. ALL input data is TESTED ON REMOTE/OFFLINE systems FIRST. NOT on the primary system..

Re: Gohmert the unbearable

Nope, that about sums it up... keep in mind the guy is from Texas... and given my experience with Texas politicians, the ones that get the most attention are the ones that say the most outrageous things (or those who have the lowest IQ). Before anyone gets butthurt about it, I'm not saying all Texas politicians are dumb... just those that get the most attention it seems.

There would be interesting side effects...

Re: Re: Re: Re:

You haven't played uplink?

The first step of tracing the hack backwards is checking the connection log to see if this was an origination point or just a step along the way. Of course, you need to use a log undeleter with a high enough level to make sure it wasn't just falsified!

Re: Re: Re: Re:

I am the AC who posted that: I was using the loopback IP address in the example to avoid using an IP address that someone might actually be using. Therefore, please ignore the fact it is the loopback address.

If you have credible evidence of a crime, you should bring it to the proper authorities. It is not in the best interests of civilized society to allow vigilantes to take the law into their own hands for vengeance.

Re: Gohmert the unbearable

I agree with the consensus of the comments (as I interpret it) as follows:
1- leaving malicious code in a honeypot as a counter-measure/defense to attack on your systems is ethical, appropriate, and justified
2- tracing the origin of the attack in order to attempt a hackback is too difficult and a foolish idea